After a data breach or cyberattack, companies can face audit committee-driven reviews, regulatory scrutiny, and class action lawsuits. General Counsel (GC) must often defend their companies against claims of poor pre-breach security and deficient post-breach response.
Increasingly, smart GCs are using their powerful positions to help companies proactively improve security and incident response readiness. The unique ability of a GC to understand how security posture will be judged from a legal and regulatory perspective, post-breach, can improve security, help to identify and eliminate hard-to-defend vulnerabilities, and as a result improve companies’ pre–breach posture.
How can the GC help? Become an active (and proactive) voice in corporate cybersecurity
In Stroz Friedberg’s experience, class action claims normally allege the company did not:
- Practice pre-breach IT security with due care
- Identify and remediate known vulnerabilities
- Detect the full scope of a breach fast enough
- Kick the attacker out as quickly as it should have
- Accurately report the number of customers affected
- Provide customers with timely notice
To help a company mitigate easily avoidable pitfalls, the GC should be in a collaborative dialogue with the CISO and CIO. In our experience, we’ve found the following questions are a good framework for discussion:
1. How has the company assessed cybersecurity?
- Are there written security assessments? Review them – they are post-breach fodder.
- How did the company fare in these assessments? Assessments are often more harsh than IT management’s own summary representations.
- What standards were used for the assessment? There are several standards to choose from, some of which are industry specific. It’s important to know which one was selected and why.Are assessments risk-ranked with prioritized mitigation fixes? Have the vulnerabilities identified in assessments been remediated or is there a mitigation program in place? Long lists of un-prioritized vulnerabilities – which are typically delivered by auditors – can leave your company open to accusations of insufficient pre-breach security. It’s easier to defend a delay in remediation of low risk security gaps, if more critical vulnerabilities were addressed first.
2. Is the company adequately prepared and defended?
- Has the company implemented all necessary security layers? Knowing what layers of security and staffing the CISO or CIO has asked for in the past and not been able to secure funding for can help you prepare for questions that arise after a breach.
- Does the company have adequate plans, technologies, technical responders, and data breach counsel in position to facilitate incident response? Some technologies take a long time to position, so this is best dealt with prior to a breach. As important as technology is, having an outside expert conduct a readiness assessment and putting a retainer in place with a response firm speeds your ability to mitigate an incident.
- Have “table-tops” (i.e., exercises which simulate the company’s response to potential breaches) been conducted to familiarize all relevant stakeholders with their roles and responsibilities in the event of a breach? Practice makes perfect. Highly tailored breach drills based on your company’s risk profile are a very effective way to optimize response in a moment of crisis. Table tops get everyone comfortable with their roles and with each other – in house staff, outside counsel and technical responders must have an agreed approach to incident response to avoid conflicts during an incident.
Don’t let your company be caught off guard. Engage with your CISO and CIO today to take concrete steps towards improved security. If you’re not sure where to start, an outside expert’s view can be an invaluable aid to determine whether pre-breach security is taken seriously overall, and to benchmark the company against best practices.